IETF Logo Mail Archive

Re: [Softwires] [dhcwg] Is tunnelling DHCP multicast messages in 6rd unicast tunnel to BR acceptable for DHCP redundancy?//re: About draft-guo-softwire-6rd-ipv6-config-00

Xu Xiaohu <xuxh@huawei.com> Fri, 20 August 2010 02:54 UTC

Return-Path: <xuxh@huawei.com>
X-Original-To: softwires@core3.amsl.com
Delivered-To: softwires@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8BAA3A67D1; Thu, 19 Aug 2010 19:54:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.321
X-Spam-Level: **
X-Spam-Status: No, score=2.321 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, CN_BODY_35=0.339, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_CHARSET_FARAWAY=2.45, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYs1zPy1H-GZ; Thu, 19 Aug 2010 19:54:51 -0700 (PDT)
Received: from szxga04-in.huawei.com (unknown [119.145.14.67]) by core3.amsl.com (Postfix) with ESMTP id 9ECB83A6781; Thu, 19 Aug 2010 19:54:51 -0700 (PDT)
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0L7F00107K43K2@szxga04-in.huawei.com>; Fri, 20 Aug 2010 10:55:15 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0L7F00HZSK430G@szxga04-in.huawei.com>; Fri, 20 Aug 2010 10:55:15 +0800 (CST)
Received: from x41208c ([10.110.98.38]) by szxml06-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0L7F001Y3K43DL@szxml06-in.huawei.com>; Fri, 20 Aug 2010 10:55:15 +0800 (CST)
Date: Fri, 20 Aug 2010 10:57:08 +0800
From: Xu Xiaohu <xuxh@huawei.com>
In-reply-to: <159275A1-FA26-4A9A-9F54-0506C9C3DD7A@nominum.com>
To: 'Ted Lemon' <Ted.Lemon@nominum.com>
Message-id: <002601cb4013$61360e80$26626e0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="gb2312"
Content-transfer-encoding: quoted-printable
Thread-index: Acs/sUr8lzq7gsfcQRaUfXRLYyf/1gAX26IA
Cc: softwires@ietf.org, dhcwg@ietf.org
Subject: Re: [Softwires] [dhcwg] Is tunnelling DHCP multicast messages in 6rd unicast tunnel to BR acceptable for DHCP redundancy?//re: About draft-guo-softwire-6rd-ipv6-config-00
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2010 02:54:52 -0000

> -----邮件原件-----
> 发件人: Ted Lemon [mailto:Ted.Lemon@nominum.com]
> 发送时间: 2010年8月19日 23:15
> 收件人: Xu Xiaohu
> 抄送: 'Ole Troan'; softwires@ietf.org; dhcwg@ietf.org
> 主题: Re: [dhcwg] Is tunnelling DHCP multicast messages in 6rd unicast
tunnel
> to BR acceptable for DHCP redundancy?//re: [Softwires] About
> draft-guo-softwire-6rd-ipv6-config-00
> 
> On Aug 19, 2010, at 1:27 AM, Xu Xiaohu wrote:
> > With multicast, many DHCP authentication mechanisms will not be
available
> > any more, e.g., IPsec mechanism for securing the messages exchanged
between
> > servers and relay agents, and CGA usage for DHCP server authentication.
By
> > the way, is the 6rd domain deemed as a secure network for DHCP message
> > exchange?
> 
> I don't see how you would use IPsec for authenticating DHCP from the
client--how
> would the client choose a security association?   Hm, okay, maybe that
works

Here I'm talking about using IPsec between relay agents and servers.

> because the client has the DHCP server's IP address.   Still, this doesn't
seem
> to fit the problem very well--the client would have to go around with a
long
> list of server IP addresses and security associations.
> 
> If CGA authentication is one of the major goals, a solution to this would
be
> for the client to request a unicast response.   Servers that don't
implement
> that would respond normally; servers that do implement it would respond
via
> unicast to the client's unicast address, and could sign their response
using

As been said many times before, if the DHCP client or the relay agent has no
knowledge of intended DHCP servers and sends a DHCP message to the ALL
ALL_SERVERS_OR_RELAY-AGENT_ADDRESS, any DHCP server, even the rogue server
could send a unicast response with its own CGA signature. That is to say,
the CGA usage is almost meaningless in this case.

> CGA.   The client could also send a CGA-based signature along with the
message
> containing the unicast request--since the CGA address the client would be
> providing will only work if it belongs to the client, this is useful
> authentication.
> 
> > I admit that the DHCP relay agent on the CPE could relay the
> > information-request message to ALL_SERVERS_OR_RELAY-AGENT_ADDRESS in a
6rd
> > tunnel towards a 6rd BR, However, is it actually an optimal choice?
> 
> We have to remember that "optimal" can mean a lot of different things in
this
> context.   I agree that in principal what you are proposing is optimal in
some
> cases, but overall, I am concerned that it creates a lot of problems for a
very
> small benefit--thus all the questions.

Here I just propose that the DHCP relay agent on a 6rd CPE could be
configured automatically with one or more DHCP server addresses by using a
new option in DHCPv4 which has been used by 6rd CPEs to automatically
configure the 6rd AFBR addresses. Can you explain more about why it creates
a lot of problems?

Best wishes,
Xiaohu

v2.29.0 | Report a Bug | By Email | System Status